Security - Frequently Asked Questions
Where is data stored?
Data is held across two UK data centre locations for resilience. Where a customer requires alternative data homing, this is available as part of our Enterprise offering, which includes US, Canada and EU data centres.
The geographically dispersed data centres comply with key industry standards, including ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. Physical security is layered: access approval is required at the facility's perimeter, at the building's perimeter, inside the building, and on the data centre floor. Fences, video monitoring and security patrols protect the external perimeter. Inside, movement is controlled by two-factor authentication with biometric controls.
How is data secured?
Data is encrypted in transit and at rest. All data is secured between users' browsers and our servers using TLS (Transport Layer Security, the successor technology to SSL), and data is encrypted while stored on servers (encryption at rest). A wide range of technical measures is used, including multiple firewall technologies, intrusion prevention and intrusion detection measures, and monitoring and alerting.
SurveyOptic implements data marking and classification, as well as role-based access control. This ensures that access is restricted to those who need it, and that data is only accessible to those who are authorised to see it. Where data is marked as PII (personally identifiable information), additional controls are applied to ensure the highest levels of confidentiality.
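The combination described above (fields carry a classification mark, roles carry a clearance, and PII access attracts extra controls) can be illustrated with a small field-level filter. This is an added example written for this FAQ, not SurveyOptic's own code; the field names, classification levels, role names and the audit-event shape are all hypothetical, and the sample record is constructed.

```python
from enum import Enum


class Classification(Enum):
    """Data marking levels, ordered so a higher value needs more clearance (hypothetical)."""
    PUBLIC = 1
    INTERNAL = 2
    PII = 3


# Hypothetical classification of each field in a survey response record.
FIELD_CLASSIFICATION = {
    "response_id": Classification.PUBLIC,
    "question_1": Classification.INTERNAL,
    "email": Classification.PII,
    "name": Classification.PII,
}

# Hypothetical roles and the highest classification each role may read.
ROLE_CLEARANCE = {
    "viewer": Classification.PUBLIC,
    "analyst": Classification.INTERNAL,
    "dpo": Classification.PII,
}

REDACTED = "[REDACTED]"

# Constructed sample record; the values are not real data.
SAMPLE_RECORD = {
    "response_id": "r-001",
    "question_1": "Yes",
    "email": "respondent@example.invalid",
    "name": "A. Respondent",
}


def access_record(record, role):
    """Return (filtered_record, audit_events) for a role reading a record.

    Fields above the role's clearance are redacted rather than returned.
    Fields with no classification mark are treated as PII (fail closed),
    so a newly added column cannot leak simply because nobody marked it.
    Every PII field actually released is recorded as an audit event, which
    is the additional control the FAQ mentions for PII-marked data.
    """
    clearance = ROLE_CLEARANCE.get(role)
    if clearance is None:
        # Unknown roles get nothing: deny by default.
        raise PermissionError(f"unknown role {role!r}")

    filtered = {}
    audit_events = []
    for key, value in record.items():
        mark = FIELD_CLASSIFICATION.get(key, Classification.PII)
        if mark.value > clearance.value:
            filtered[key] = REDACTED
            continue
        filtered[key] = value
        if mark is Classification.PII:
            audit_events.append({
                "event": "pii_read",
                "role": role,
                "field": key,
                "record": record.get("response_id"),
            })
    return filtered, audit_events


if __name__ == "__main__":
    for role in ("viewer", "analyst", "dpo"):
        view, events = access_record(SAMPLE_RECORD, role)
        print(role, view, f"{len(events)} PII audit event(s)")
```

The design choice worth noting is the default in `FIELD_CLASSIFICATION.get(key, Classification.PII)`: an unmarked field is the most likely way a classification scheme leaks, so the filter treats "unmarked" as the most sensitive level rather than the least.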
Will I be notified if there is a breach?
Both UK GDPR and EU GDPR require notification within 72 hours of becoming aware of a breach, where feasible. We have processes to ensure that we meet this requirement, should this ever be required, and our internal SLA is to notify within 24 hours.
Does SurveyOptic make me GDPR compliant?
No product can make you GDPR compliant, as compliance is a process, not a purchase, in much the same way that no guitar manufacturer can promise that buying their guitar will make you a successful rock guitarist. However, SurveyOptic provides all of the tools that you need to meet the requirements of GDPR (both UK GDPR and EU GDPR) as well as a range of other data regulations, and we are continually reviewing and expanding the features available. These include responding to data subject access requests, the right to erasure, records of processing and a range of other features that greatly reduce the effort of becoming, and remaining, compliant with current and future requirements.
SocialOptic holds a Whole Organisation Cyber Essentials Plus certification and has a published NHS Data Security and Protection Toolkit assessment based on the UK National Data Guardian’s 10 data security standards. This means that our security is externally tested and audited. SocialOptic is registered with the ICO in the UK - ZA092349.